On Wed, Jan 21, 2026 at 09:46:11PM -0300, Matheus Polkorny wrote:
> Hello,
> 
> I will prepare an upload of Wireshark for trixie

Hi,

I’ve imported the upstream patches to fix CVE-2026-0959,
CVE-2026-0961, and CVE-2026-0962 for trixie.

The wireshark.debdiff is attached for review. If this looks good to you,
Samuel can proceed with the upload.

The merge request is available at:
https://salsa.debian.org/debian/wireshark/-/merge_requests/6
-- 
Thanks,
Polkorny
diff -Nru wireshark-4.4.7/debian/changelog wireshark-4.4.7/debian/changelog
--- wireshark-4.4.7/debian/changelog    2025-06-10 11:45:06.000000000 -0300
+++ wireshark-4.4.7/debian/changelog    2026-01-21 21:07:15.000000000 -0300
@@ -1,3 +1,16 @@
+wireshark (4.4.7-1+deb13u1) trixie-security; urgency=medium
+
+  * Team upload.
+  * d/patches:
+    - CVE-2026-0959.patch: Import Upstream patch to fix CVE-2026-0959
+    - CVE-2026-0961.patch: Import Upstream patch to fix CVE-2026-0961
+    - CVE-2026-0962.patch: Import Upstream patch to fix CVE-2026-0962
+    - Refresh patches:
+        0001-tools-Use-esnacc-instead-of-snacc-in-asn2deb.patch
+        0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch
+
+ -- Matheus Polkorny <[email protected]>  Wed, 21 Jan 2026 21:07:15 -0300
+
 wireshark (4.4.7-1) unstable; urgency=medium
 
   * Upload to unstable (Closes: #1107515)
diff -Nru 
wireshark-4.4.7/debian/patches/0001-tools-Use-esnacc-instead-of-snacc-in-asn2deb.patch
 
wireshark-4.4.7/debian/patches/0001-tools-Use-esnacc-instead-of-snacc-in-asn2deb.patch
--- 
wireshark-4.4.7/debian/patches/0001-tools-Use-esnacc-instead-of-snacc-in-asn2deb.patch
      2025-06-10 11:45:06.000000000 -0300
+++ 
wireshark-4.4.7/debian/patches/0001-tools-Use-esnacc-instead-of-snacc-in-asn2deb.patch
      2026-01-21 21:07:15.000000000 -0300
@@ -1,4 +1,3 @@
-From 6f7831516648cf70cb76d12a4b05c041279d40ba Mon Sep 17 00:00:00 2001
 From: Balint Reczey <[email protected]>
 Date: Mon, 21 Oct 2024 12:27:09 +0200
 Subject: [PATCH] tools: Use esnacc instead of snacc in asn2deb
@@ -12,7 +11,7 @@
  3 files changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/doc/man_pages/asn2deb.adoc b/doc/man_pages/asn2deb.adoc
-index e02844ccf6..f043d27a89 100644
+index e02844c..f043d27 100644
 --- a/doc/man_pages/asn2deb.adoc
 +++ b/doc/man_pages/asn2deb.adoc
 @@ -33,7 +33,7 @@ asn2deb - Create a Debian package for BER monitoring from 
ASN.1
@@ -34,7 +33,7 @@
  == COPYING
  
 diff --git a/packaging/debian/control b/packaging/debian/control
-index de03518dcf..d5a51c1eb1 100644
+index 0c713b9..13987ae 100644
 --- a/packaging/debian/control
 +++ b/packaging/debian/control
 @@ -125,7 +125,7 @@ Package: wireshark-dev
@@ -47,7 +46,7 @@
  Description: network traffic analyzer - development tools
   Wireshark is a network "sniffer" - a tool that captures and analyzes
 diff --git a/tools/asn2deb b/tools/asn2deb
-index 926d34e2e5..7f0bbc78ef 100755
+index 926d34e..7f0bbc7 100755
 --- a/tools/asn2deb
 +++ b/tools/asn2deb
 @@ -4,7 +4,7 @@
@@ -68,6 +67,3 @@
  
  Package: wireshark-asn1-%s
  Architecture: all
--- 
-2.43.0
-
diff -Nru 
wireshark-4.4.7/debian/patches/0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch
 
wireshark-4.4.7/debian/patches/0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch
--- 
wireshark-4.4.7/debian/patches/0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch
      2025-06-10 11:45:06.000000000 -0300
+++ 
wireshark-4.4.7/debian/patches/0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch
      2026-01-21 21:07:15.000000000 -0300
@@ -4,9 +4,11 @@
  https://gitlab.com/wireshark/wireshark/-/issues/19013#note_1682959548
 
 ---
- ipmap.html | 20 +++++---------------
- 1 file changed, 5 insertions(+), 15 deletions(-)
+ resources/share/wireshark/ipmap.html | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
 
+diff --git a/resources/share/wireshark/ipmap.html 
b/resources/share/wireshark/ipmap.html
+index fa8b542..b3f7b67 100644
 --- a/resources/share/wireshark/ipmap.html
 +++ b/resources/share/wireshark/ipmap.html
 @@ -2,15 +2,9 @@
@@ -28,7 +30,7 @@
  <!--
  <link rel="stylesheet" 
href="https://unpkg.com/[email protected]/dist/leaflet-measure.css";
      
integrity="sha512-wgiKVjb46JxgnGNL6xagIy2+vpqLQmmHH7fWD/BnPzouddSmbRTf6xatWIRbH2Rgr2F+tLtCZKbxnhm5Xz0BcA=="
-@@ -43,12 +37,14 @@
+@@ -43,12 +37,14 @@ html, body {
  .range-control-input { padding: 0; width: 130px; }
  .range-control-input, .range-control-label { vertical-align: middle; }
  </style>
@@ -49,7 +51,7 @@
  <!--
  <script src="https://unpkg.com/[email protected]/dist/leaflet-measure.js";
      
integrity="sha512-ovh6EqS7MUI3QjLWBM7CY8Gu8cSM5x6vQofUMwKGbHVDPSAS2lmNv6Wq5es5WCz1muyojQxcc8rA3CvVjD2Z+A=="
-@@ -372,6 +368,11 @@
+@@ -372,6 +368,11 @@ function loadData(data) {
  <input type="file" id="file-picker" accept=".json,.html"></label>
  <p id="error-message"></p>
  </div>
diff -Nru wireshark-4.4.7/debian/patches/CVE-2026-0959.patch 
wireshark-4.4.7/debian/patches/CVE-2026-0959.patch
--- wireshark-4.4.7/debian/patches/CVE-2026-0959.patch  1969-12-31 
21:00:00.000000000 -0300
+++ wireshark-4.4.7/debian/patches/CVE-2026-0959.patch  2026-01-21 
21:07:15.000000000 -0300
@@ -0,0 +1,57 @@
+From: John Thacker <[email protected]>
+Date: Sat, 10 Jan 2026 08:33:35 -0500
+Subject: ieee80211: Avoid using a fixed array for multi-link per-STA
+ subelements
+
+Since this processes to the end of the TVB, there might be more than 16.
+Simplify the logic and only test for a set link_id in one place. This
+also gets rid of a possible use of an uninitialized value on error.
+
+Fix #20939, OSS-Fuzz 474458885
+---
+ epan/dissectors/packet-ieee80211.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/epan/dissectors/packet-ieee80211.c 
b/epan/dissectors/packet-ieee80211.c
+index 6ed3b47..89bea94 100644
+--- a/epan/dissectors/packet-ieee80211.c
++++ b/epan/dissectors/packet-ieee80211.c
+@@ -28301,7 +28301,7 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo 
_U_, proto_tree *tree,
+   uint8_t multi_link_type = multi_link_control & 0x0007;
+   uint16_t present = multi_link_control >> 4;
+   int elt = 0, hf_index;
+-  int local_link_ids[16];
++  wmem_strbuf_t *link_id_list = wmem_strbuf_create(pinfo->pool);
+ 
+   control = proto_tree_add_item(tree, hf_ieee80211_eht_multi_link_control, 
tvb,
+                                 offset, 2, ENC_LITTLE_ENDIAN);
+@@ -28590,9 +28590,6 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo 
_U_, proto_tree *tree,
+                                            multi_link_type, &link_id);
+ 
+       offset += overhead; /* Account for the overhead in the subelt */
+-      if (link_id != -1) {
+-        local_link_ids[elt] = link_id;
+-      }
+       break;
+     case 221:
+       /* Add an expert info saying there are none so far? */
+@@ -28603,18 +28600,13 @@ dissect_multi_link(tvbuff_t *tvb, packet_info *pinfo 
_U_, proto_tree *tree,
+       break;
+     }
+     if (link_id != -1) {
++      wmem_strbuf_append_printf(link_id_list, (elt == 0) ? "%d" : "_%d", 
link_id);
+       elt++;
+     }
+   }
+   proto_tree_add_uint(tree, hf_index, tvb, 0, 0, elt);
+ 
+   if (elt) {
+-    wmem_strbuf_t *link_id_list = wmem_strbuf_new_sized(pinfo->pool, elt * 2);
+-    for (int i = 0; i < elt; i++) {
+-      if (local_link_ids[i] != -1) {
+-        wmem_strbuf_append_printf(link_id_list, (i == 0) ? "%d" : "_%d", 
local_link_ids[i]);
+-      }
+-    }
+     proto_tree_add_string(tree, hf_ieee80211_eht_multi_link_link_id_list, tvb,
+                           0, 0, link_id_list->str);
+   }
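Review bot: The header of CVE-2026-0959.patch names the upstream issue and the OSS-Fuzz report but not the upstream commit it was imported from, so the import cannot be diffed against upstream from the package alone. CVE-2026-0961.patch has the same gap, while CVE-2026-0962.patch does record its cherry-pick hash. I would add a DEP-3 line such as `Origin: upstream, <upstream commit URL>` to both headers. On the code itself, the single `if (link_id != -1)` append relies on link_id being reset for every subelement; that initialisation is outside the hunk, as are the start and end of dissect_multi_link.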
diff -Nru wireshark-4.4.7/debian/patches/CVE-2026-0961.patch 
wireshark-4.4.7/debian/patches/CVE-2026-0961.patch
--- wireshark-4.4.7/debian/patches/CVE-2026-0961.patch  1969-12-31 
21:00:00.000000000 -0300
+++ wireshark-4.4.7/debian/patches/CVE-2026-0961.patch  2026-01-21 
21:07:15.000000000 -0300
@@ -0,0 +1,28 @@
+From: Darius Davis <[email protected]>
+Date: Mon, 1 Dec 2025 17:47:28 +1000
+Subject: BLF: Validate length of uncompressed segments.
+
+When a container's data is not compressed, its actual length should equal the
+length of the data stored in the file.
+
+Fixes #20880.
+---
+ wiretap/blf.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/wiretap/blf.c b/wiretap/blf.c
+index 0075936..528ccb0 100644
+--- a/wiretap/blf.c
++++ b/wiretap/blf.c
+@@ -793,6 +793,11 @@ blf_pull_logcontainer_into_memory(blf_params_t *params, 
blf_log_container_t *con
+     }
+ 
+     if (container->compression_method == BLF_COMPRESSION_NONE) {
++        if (data_length != container->real_length) {
++            *err = WTAP_ERR_BAD_FILE;
++            *err_info = ws_strdup("blf_pull_logcontainer_into_memory: 
uncompressed data has wrong length");
++            return false;
++        }
+         unsigned char* buf = g_try_malloc((size_t)container->real_length);
+         if (buf == NULL) {
+             *err = WTAP_ERR_INTERNAL;
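Review bot: The new length check in blf_pull_logcontainer_into_memory has no comment explaining why it must come before the allocation, and the reason is not obvious from the hunk alone. Both lengths appear to come from the capture file, and the buffer on the next line is sized by `container->real_length`, so I would add `/* Lengths come from the file: reject a mismatch before sizing the buffer from real_length. */` above the `if`. The code that fills the buffer is outside the hunk, so whether it copies `data_length` bytes could not be confirmed here. The function also begins and ends outside the hunk.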
diff -Nru wireshark-4.4.7/debian/patches/CVE-2026-0962.patch 
wireshark-4.4.7/debian/patches/CVE-2026-0962.patch
--- wireshark-4.4.7/debian/patches/CVE-2026-0962.patch  1969-12-31 
21:00:00.000000000 -0300
+++ wireshark-4.4.7/debian/patches/CVE-2026-0962.patch  2026-01-21 
21:07:15.000000000 -0300
@@ -0,0 +1,136 @@
+From: Gerald Combs <[email protected]>
+Date: Mon, 12 Jan 2026 17:01:48 -0800
+Subject: SOME/IP-SD: Fix a buffer overflow
+
+Make sure we don't write past the end of our option port array. Make our
+option count unsigned.
+
+Fixes #20945
+
+(cherry picked from commit 55ec8b3db4968c97115f014fb5974206cdf57454)
+
+Conflicts:
+       epan/dissectors/packet-someip-sd.c
+---
+ epan/dissectors/packet-someip-sd.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/epan/dissectors/packet-someip-sd.c 
b/epan/dissectors/packet-someip-sd.c
+index 1a348d3..b36a2fc 100644
+--- a/epan/dissectors/packet-someip-sd.c
++++ b/epan/dissectors/packet-someip-sd.c
+@@ -269,6 +269,7 @@ static expert_field ei_someipsd_option_unknown;
+ static expert_field ei_someipsd_option_wrong_length;
+ static expert_field ei_someipsd_L4_protocol_unsupported;
+ static expert_field ei_someipsd_config_string_malformed;
++static expert_field ei_someipsd_too_many_options;
+ 
+ /*** prototypes ***/
+ void proto_register_someip_sd(void);
+@@ -301,13 +302,13 @@ someip_sd_register_ports(uint32_t opt_index, uint32_t 
opt_num, uint32_t option_c
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, uint32_t offset, uint32_t length, int optionnum) {
++dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum) {
+     uint32_t        offset_orig = offset;
+     const uint8_t  *config_string;
+     proto_item     *ti;
+     proto_tree     *subtree;
+ 
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, NULL, "%d: Configuration Option", optionnum);
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, NULL, "%u: Configuration Option", optionnum);
+ 
+     /* Add common fields */
+     proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, 
ENC_BIG_ENDIAN);
+@@ -344,8 +345,8 @@ dissect_someip_sd_pdu_option_configuration(tvbuff_t *tvb, 
packet_info *pinfo, pr
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo 
_U_, proto_tree *tree, uint32_t offset, uint32_t length, int optionnum) {
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, NULL, "%d: Load Balancing Option", optionnum);
++dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, packet_info *pinfo 
_U_, proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum) {
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, NULL, "%u: Load Balancing Option", optionnum);
+ 
+     /* Add common fields */
+     proto_tree_add_item(tree, hf_someip_sd_option_length, tvb, offset, 2, 
ENC_BIG_ENDIAN);
+@@ -364,7 +365,7 @@ dissect_someip_sd_pdu_option_loadbalancing(tvbuff_t *tvb, 
packet_info *pinfo _U_
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, uint32_t offset, uint32_t length, int optionnum, uint32_t 
option_ports[]) {
++dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum, 
uint32_t option_ports[]) {
+     uint8_t             type = 255;
+     const char         *description = NULL;
+     uint32_t            l4port = 0;
+@@ -377,7 +378,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, 
packet_info *pinfo, proto_tree
+ 
+     type = tvb_get_uint8(tvb, offset + 2);
+     description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
+ 
+     if (length != SD_OPTION_IPV4_LENGTH) {
+         expert_add_info(pinfo, ti_top, &ei_someipsd_option_wrong_length);
+@@ -418,7 +419,7 @@ dissect_someip_sd_pdu_option_ipv4(tvbuff_t *tvb, 
packet_info *pinfo, proto_tree
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, uint32_t offset, uint32_t length, int optionnum, uint32_t 
option_ports[]) {
++dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum, 
uint32_t option_ports[]) {
+     uint8_t             type = 255;
+     const char         *description = NULL;
+     uint32_t            l4port = 0;
+@@ -431,7 +432,7 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, 
packet_info *pinfo, proto_tree
+     type = tvb_get_uint8(tvb, offset + 2);
+     description = val_to_str(type, sd_option_type, "(Unknown Option: %d)");
+ 
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti_top, "%d: %s Option", optionnum, description);
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti_top, "%u: %s Option", optionnum, description);
+ 
+     if (length != SD_OPTION_IPV6_LENGTH) {
+         expert_add_info(pinfo, ti_top, &ei_someipsd_option_wrong_length);
+@@ -471,11 +472,11 @@ dissect_someip_sd_pdu_option_ipv6(tvbuff_t *tvb, 
packet_info *pinfo, proto_tree
+ }
+ 
+ static void
+-dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, uint32_t offset, uint32_t length, int optionnum) {
++dissect_someip_sd_pdu_option_unknown(tvbuff_t *tvb, packet_info *pinfo, 
proto_tree *tree, uint32_t offset, uint32_t length, unsigned optionnum) {
+     uint32_t            len = 0;
+     proto_item         *ti;
+ 
+-    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti, "%d: %s Option", optionnum,
++    tree = proto_tree_add_subtree_format(tree, tvb, offset, length, 
ett_someip_sd_option, &ti, "%u: %s Option", optionnum,
+         val_to_str_const(tvb_get_uint8(tvb, offset + 2), sd_option_type, 
"Unknown"));
+ 
+     expert_add_info(pinfo, ti, &ei_someipsd_option_unknown);
+@@ -500,7 +501,7 @@ static int
+ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info *pinfo, proto_tree 
*tree, proto_item *ti, uint32_t offset_orig, uint32_t length, uint32_t 
option_ports[], unsigned *option_count) {
+     uint16_t            real_length = 0;
+     uint8_t             option_type = 0;
+-    int                 optionnum = 0;
++    unsigned            optionnum = 0;
+     tvbuff_t           *subtvb = NULL;
+ 
+     uint32_t            offset = offset_orig;
+@@ -511,7 +512,11 @@ dissect_someip_sd_pdu_options(tvbuff_t *tvb, packet_info 
*pinfo, proto_tree *tre
+     }
+ 
+     while (tvb_bytes_exist(tvb, offset, SD_OPTION_MINLENGTH)) {
+-        ws_assert(optionnum >= 0 && optionnum < SD_MAX_NUM_OPTIONS);
++        if (optionnum >= SD_MAX_NUM_OPTIONS) {
++            expert_add_info(pinfo, ti, &ei_someipsd_too_many_options);
++            return offset;
++        }
++
+         option_ports[optionnum] = 0;
+ 
+         real_length = tvb_get_ntohs(tvb, offset) + 3;
+@@ -1290,6 +1295,7 @@ proto_register_someip_sd(void) {
+         { &ei_someipsd_option_wrong_length,{ "someipsd.option_wrong_length", 
PI_MALFORMED, PI_ERROR, "SOME/IP-SD Option length is incorrect!", EXPFILL } },
+         { &ei_someipsd_L4_protocol_unsupported,{ 
"someipsd.L4_protocol_unsupported", PI_MALFORMED, PI_ERROR, "SOME/IP-SD 
Unsupported Layer 4 Protocol!", EXPFILL } },
+         { &ei_someipsd_config_string_malformed,{ 
"someipsd.config_string_malformed", PI_MALFORMED, PI_ERROR, "SOME/IP-SD 
Configuration String malformed!", EXPFILL } },
++        { &ei_someipsd_too_many_options,{ "someipsd.too_many_options", 
PI_MALFORMED, PI_ERROR, "SOME/IP-SD Too many options!", EXPFILL } },
+     };
+ 
+     /* Register Protocol, Fields, ETTs, Expert Info, Taps, Dissector */
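Review bot: The new early return in dissect_someip_sd_pdu_options leaves `*option_count` unwritten in the lines shown, so on the too-many-options path the caller may see whatever value it passed in. If the count is only stored at the end of the function, which is outside the hunk, put `*option_count = optionnum;` before `return offset;` so the caller gets a count that matches the entries already written to `option_ports[]`. The patch header also lists a conflict in packet-someip-sd.c without saying how it was resolved. A one-line description of how the backport differs from the upstream commit would help whoever audits it.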
diff -Nru wireshark-4.4.7/debian/patches/series 
wireshark-4.4.7/debian/patches/series
--- wireshark-4.4.7/debian/patches/series       2025-06-10 11:45:06.000000000 
-0300
+++ wireshark-4.4.7/debian/patches/series       2026-01-21 21:07:15.000000000 
-0300
@@ -1,3 +1,6 @@
 0001-tools-Use-esnacc-instead-of-snacc-in-asn2deb.patch
 09_idl2wrs.patch
 0004-Use-packaged-JS-and-CSS-resources-instead-of-pulling.patch
+CVE-2026-0959.patch
+CVE-2026-0961.patch
+CVE-2026-0962.patch
